BHack 2012 - How to protect your web applications
•
1 like•595 views
BHack 2012 - How to protect your web applications Junho de 2012 em Belo Horizonte, MG http://bhack.com.br/
Report
Share
Report
Share
Download to read offline
Recommended
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
Julho de 2012 em Cascais, Portugal.
http://www.just4meeting.com/
Vulnerability management and threat detection by the numbers
Managing application and host security issues at scale. how to scale application security in the SDLC.
Using the edgescan SaaS to achieve this.
Presented at DaggerCon 2015, Dublin Ireland.
Make Your UI Tests Resilient with the Next Generation of Frameworks
A big problem with test automation on any platform or operating system is synchronizing test automation interactions with the UI. It is challenging to know when the UI is ready for the next automated click(). Traditional black box tools try to address this problem by explicit or implicit waiting, but this technique is slow and error-prone. A new generation of test frameworks, starting with Espresso, understands the internals of the app and synchronizes interactions only when the view is ready, making the framework very fast and reliable. This same technique is making Cypress and EarlGrey popular. Join Satyajit Malugu to discover how peeking below the surface of the system under test makes tests less flaky. You'll leave with an understanding of synchronization, black box versus gray box testing, and how to implement them in your own frameworks.
8 Blind Spots Often Overlooked When Testing on Mobile
You don’t want to overlook anything when it comes to mobile performance testing. So in order to save you from the pain of missing those little things, we’ve put together a SlideShare guide highlighting eight testing blind spots. Use it as a checklist – you may even want to print it out and keep it on your fridge.
Translating Tester-Speak Into Plain English: Simple Explanations for 8 Testin...
The software testing industry's buzzwords can be hard to decipher at times, especially when trying to explain these buzzwords to fellow co-workers within your organization who don't really have a clue what you're talking about. Buzzwords are unavoidable, however, there needs to be a clear understanding of what a buzzword is and the testing buzzwords you should know.
The Journey to DevSecOps
This document discusses the evolution of DevSecOps and provides guidance for security professionals. It notes that DevSecOps approaches have gained popularity as DevOps has grown over the past decade. It recommends that security professionals focus on detection over protection, embrace a blameless culture of continuous improvement, and get involved in DevSecOps communities to help build security tools and practices.
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
http://www.youtube.com/watch?v=pPg8bA7ps3U
Silver Lining for Miles: DevOps for Building Security Solutions
This document summarizes a presentation about how security teams can adapt to DevOps and continuous deployment models. It discusses how code deployment has shifted to near-instantaneous changes, security is no longer a gatekeeper, and workarounds will happen if security causes delays. To embrace agility, security must decentralize and provide visibility into the development process for all teams, not just security, by surfacing security data. The key lessons are that embracing DevOps actually helps rather than harms security when done with visibility across rapid iterative changes.
Recommended
Just4Meeting 2012 - How to protect your web applications
Just4Meeting 2012 - How to protect your web applications
Julho de 2012 em Cascais, Portugal.
http://www.just4meeting.com/
Vulnerability management and threat detection by the numbers
Managing application and host security issues at scale. how to scale application security in the SDLC.
Using the edgescan SaaS to achieve this.
Presented at DaggerCon 2015, Dublin Ireland.
Make Your UI Tests Resilient with the Next Generation of Frameworks
A big problem with test automation on any platform or operating system is synchronizing test automation interactions with the UI. It is challenging to know when the UI is ready for the next automated click(). Traditional black box tools try to address this problem by explicit or implicit waiting, but this technique is slow and error-prone. A new generation of test frameworks, starting with Espresso, understands the internals of the app and synchronizes interactions only when the view is ready, making the framework very fast and reliable. This same technique is making Cypress and EarlGrey popular. Join Satyajit Malugu to discover how peeking below the surface of the system under test makes tests less flaky. You'll leave with an understanding of synchronization, black box versus gray box testing, and how to implement them in your own frameworks.
8 Blind Spots Often Overlooked When Testing on Mobile
You don’t want to overlook anything when it comes to mobile performance testing. So in order to save you from the pain of missing those little things, we’ve put together a SlideShare guide highlighting eight testing blind spots. Use it as a checklist – you may even want to print it out and keep it on your fridge.
Translating Tester-Speak Into Plain English: Simple Explanations for 8 Testin...
The software testing industry's buzzwords can be hard to decipher at times, especially when trying to explain these buzzwords to fellow co-workers within your organization who don't really have a clue what you're talking about. Buzzwords are unavoidable, however, there needs to be a clear understanding of what a buzzword is and the testing buzzwords you should know.
The Journey to DevSecOps
This document discusses the evolution of DevSecOps and provides guidance for security professionals. It notes that DevSecOps approaches have gained popularity as DevOps has grown over the past decade. It recommends that security professionals focus on detection over protection, embrace a blameless culture of continuous improvement, and get involved in DevSecOps communities to help build security tools and practices.
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
OWASP Bricks presentation from OWASP-Null combined meet at Delhi, August 2014
http://www.youtube.com/watch?v=pPg8bA7ps3U
Silver Lining for Miles: DevOps for Building Security Solutions
This document summarizes a presentation about how security teams can adapt to DevOps and continuous deployment models. It discusses how code deployment has shifted to near-instantaneous changes, security is no longer a gatekeeper, and workarounds will happen if security causes delays. To embrace agility, security must decentralize and provide visibility into the development process for all teams, not just security, by surfacing security data. The key lessons are that embracing DevOps actually helps rather than harms security when done with visibility across rapid iterative changes.
DevSecCon Asia 2017 Arun N: Securing chatops
This document discusses securing ChatOps workflows. It begins by introducing ChatOps and how the architecture works, with chat apps and bots playing big roles. Hubot is highlighted as a popular bot option. Typical CI/CD workflows are shown integrating with chat notifications. Risks of potential loopholes are discussed when using ChatOps. The document focuses on plugging these loopholes by implementing two-factor authentication, restricting access via hardware/software tokens, defining user roles, limiting access across multiple chat systems/rooms, and setting fine-grained IAM policies for bots running on platforms like AWS.
Top Practices for Successful Mobile Test Automation
Mobile apps bring a new set of challenges to testing—fast-paced development cycles with multiple releases per week, multiple app technologies and development platforms to support, dozens of devices and form factors, and additional pressure from enterprise and consumers who are less than patient with low quality apps. And with these new challenges comes a new set of mistakes testers can make! Fred Beringer works with dozens of mobile test teams to help them avoid common traps when building test automation for mobile apps. Fred shares some useful best practices, starting with mobile test automation. He explains what and where to automate, how to build testability into a mobile app, how to handle unreliable back-end calls and different device performance, and how to automate the automation. Fred shares real customer stories and shows how small changes in process can make mobile apps ten times more reliable.
Ops Happen: Improve Security Without Getting in the Way
The document discusses how operations and security teams are under pressure to deploy code faster while maintaining reliability and security, and proposes a "shift left" approach to incident response where developers define procedures for fixing issues in their code and are responsible for responding to incidents involving that code. It describes a design pattern where organizations establish a secure operations portal, develop an SDLC for operations procedures, and connect with management systems to enable developers to more proactively address operations and security issues.
Amy DeMartine - 7 Habits of Rugged DevOps
The document outlines seven habits that DevOps teams can adopt to increase application security. The habits are: 1) Increase trust and transparency between development, security, and operations teams. 2) Understand the probability and impact of specific security risks. 3) Discard detailed security roadmaps in favor of incremental improvements. 4) Use continuous delivery pipelines to incrementally improve security practices. 5) Standardize and continuously update third-party software. 6) Govern with automated audit trails. 7) Test security preparedness through "security games". Adopting these habits helps integrate security across the development lifecycle to reduce vulnerability discovery and remediation time.
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
This document summarizes two real world cases where companies implemented security automation to help address challenges of securing applications in agile development environments. The first case involved an insurance company transitioning to DevOps and agility, where integrated automated testing helped provide security visibility and training. The second case involved a retailer with an established agile shop where a process-driven security workflow was created to integrate testing into their DevOps pipeline on a weekly basis. Both cases aimed to balance rapid development needs with continuous security.
DevOps and the Future of Information Security
This document discusses how DevOps affects information security. It begins by motivating the talk and explaining that information systems need higher quality and faster delivery. Security is often an afterthought in development. The document then discusses what DevOps truly means, debunking several myths including that it replaces Agile or is incompatible with security and compliance. DevOps is explained as a way of thinking about work that emphasizes team collaboration across development and operations. This enables more efficient risk mitigation and implementation of security principles throughout the software development lifecycle.
Turning security into code by Jeff Williams
Jeff Williams discusses turning security into code by adopting a DevOps approach to application security. He outlines three "ways" to do this: 1) Establish a continuous security workflow, 2) Ensure instant security feedback loops, and 3) Encourage a security-focused culture. The goal is to make security work an integral part of the development process through automation, integration, and cultural changes.
The R.O.A.D to DevOps
Dan Glass, CISO of American Airlines, presented on developing rugged systems through an approach called Rugged DevOps. The presentation outlined four focus areas - Rugged Systems, Operational Excellence, Actionable Intelligence, and Defensible Platforms. For each area, Glass provided 3-4 sentences on how American Airlines will ensure systems can withstand hostile environments, adapt to changes, meet enterprise standards, maintain reliability through standardization, harvest and analyze data to enable quick decisions, and develop platforms that are hardened and can withstand attacks. The presentation concluded by answering questions on how to discuss products with vendors, changing mindsets, and balancing automation, legacy systems, and accountability.
TDC PoA submission
This document provides an introduction to DevSecOps, which involves integrating security teams and practices into the development lifecycle earlier through a "shift left" approach. It discusses threat modeling to understand security risks, using static and dynamic application security testing tools, checking for vulnerabilities in open source dependencies, securing infrastructure, and defining metrics to measure the effectiveness of applying security measures earlier. The goal of DevSecOps is to find and fix security issues as early as possible through continuous integration and delivery of secure software.
Lessons learned from Detroit to Deming by Derek Weeks
This document discusses the importance of DevSecOps and securing the software supply chain. It notes that modern applications and containers are increasingly assembled from many components, with 80-90% consisting of assembled parts. However, many open source components have known vulnerabilities, with only around 15-16% being fixed. It advocates for treating security as a system property and not passing defects downstream. The rewards of a trusted software supply chain include improvements like 90% faster deployments and 48% better application quality. Businesses are ultimately responsible for securing their data and systems.
Continuous Delivery in the World of Enterprise PHP
This document discusses continuous delivery in the context of enterprise PHP applications. It begins with brief biographical information about the presenter, Joshua Solomin, identifying him as an enterprise software expert, baker, and biker. It then discusses how open source and agility are linked. The document notes that agile development alone is not enough, as most developers experience delays in deploying code to production environments, often due to a lack of collaboration, automation, inconsistent environments, or lack of visibility. It advocates for continuous delivery practices like automation, testing, and release automation to improve deployment speed while maintaining quality. The document shares lessons learned from implementing PHP continuous delivery processes and notes that investment in DevOps and continuous delivery can yield results.
[OWASP Poland Day] Security in developer's life
This document discusses how to integrate security practices into the developer life cycle from the initial interview through onboarding and ongoing development. It recommends assessing security knowledge in interviews, providing security guides and resources for new developers, measuring reading of guides through quizzes, and using metrics to improve security processes over time. The goal is to make developers aware of security best practices from their first days of work and involve them in an ongoing security culture.
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
This webinar on DevOps and security will cover the definition of DevOps, common security challenges with the DevOps model, and how to take a "SecDevOps" approach to embed security into the development process. The presenters will discuss recommendations like increasing trust between development and security teams, using a continuous delivery pipeline to incrementally improve security, and including security as acceptance criteria for user stories. Questions from attendees will be answered at the end.
The Mobile Tester - Your place in the team with Stephen Janaway [Webinar]
Stephen Janaway of the NET-A-PORTER GROUP gave this presentation on mobile testing as part of the TEST Huddle Mobile Testing Webinar Series.
Being a tester on a mobile team is not easy. As well as a multitude of devices and OS versions to test, you find yourself being a part of extremely fast paced projects, where the need to ship an application is often seen as most important. Frequently you are the only tester in the team. In this webinar, Stephen explains some strategies to help you adapt and excel in the challenging world of mobile development.
Key Takeaways:
Why mobile development is different
The testers place in a mobile team
How you can adapt and excel
Watch the recording of the webinar here: http://testhuddle.com/resource/the-mobile-tester-your-place-in-the-team/
Zen and the art of Security Testing
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
-Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Secured Development
Burhan Khalid presented on secure software development practices. He discussed the three Ps of security - People, Process, and Persistence/Practice. He emphasized that security is not just about products but also development practices. Standards for secure development include SSE-CMM, TSP-Secure, and SAMM. Practical best practices include standardizing infrastructure, isolating development environments, peer reviews, centralized bug tracking, and using appropriate tools and frameworks. Common myths debunked are that complex passwords are secure, closed source is less secure than open source, and third party testing ensures code security.
2016 - Daniel Lebrero - REPL driven development
New computers have more and more available memory which for us, programmers means we can use more memory in our applications.
However in JAVA (actually all JVM based languages) at some certain point things may get tricky, especially when we expect from our applications to be responsive all the time. This talk will focus on Garbage First collector (the new default in JDK9) which is the newest algorithm available in HotSpot JVM (not so new though) and the only one which can handle 32+GB heap size without blocking your application threads for longer than 200ms. After this talk you will have overview how G1 works, how to read the log, spot common problems and which gc settings you should avoid.
The current state of mobile testing by stephen janaway
We are increasingly moving towards mobile devices to fulfil our day-to-day computing needs. More smartphones are sold than PCs but many people are unclear on what changes to test strategies are needed when working with mobile. The rate of change within the mobile world is rapid and mobile projects are typically equally fast paced. Currently available tools are less mature than their desktop counterparts, and all of this can combine to make a mobile testing strategy more difficult to define.
This webinar will seek to answer come common challenges one may face when starting to test mobile devices or applications, and answer some of the common questions that typically arise. Put simply, it will help you start your mobile project right, or help you make changes to an existing strategy to make it more effective.
www.eurostarconferences.com
www.testhuddle.com
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
Security pros have written countless jokes and comics maligning developers' exultant disregard for security and lauding their own long-suffering devotion to repairing reckless dev teams' vulnerable code. Yet, this narrative -- which does nothing to improve application security -- has gone on long enough. This session will help you change the conversation and the trend. You'll learn how to speak developers' language, learn about the real pressures they face in a continuous delivery environment, and discover how to get Dev, Ops, and Security teams aligned and focused on a singular goal.
Shift Left. Wait, what? No, Shift Right!!!
Presented on November 7, 2018 at Triangle DevOps (https://www.meetup.com/triangle-devops/).
Recently in the DevSecOps world there has been a call to shift left. However, application security has been shifting left for years already. What we should be doing is shifting application security to the right (production). This can be done by instrumenting applications for security.
_Best practices towards a well-polished DevSecOps environment (1).pdf
DevSecOps is a software development approach that encourages the adoption of security throughout the whole software development lifecycle. It favors security automation, communication, and scalability in the entire IT environments. DevSecOps infuses security practices in the DevOps process.
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
This document discusses common problems with how application security is implemented. It argues that software developers often lack security knowledge and focus on functionality over security. Security teams also lack development experience and focus on compliance over practical security. As a result, security is treated as an afterthought through ineffective practices like sole reliance on penetration testing. The document recommends a proper Secure Development Lifecycle approach involving security training, secure coding practices, testing and ongoing improvements.
More Related Content
What's hot
DevSecCon Asia 2017 Arun N: Securing chatops
This document discusses securing ChatOps workflows. It begins by introducing ChatOps and how the architecture works, with chat apps and bots playing big roles. Hubot is highlighted as a popular bot option. Typical CI/CD workflows are shown integrating with chat notifications. Risks of potential loopholes are discussed when using ChatOps. The document focuses on plugging these loopholes by implementing two-factor authentication, restricting access via hardware/software tokens, defining user roles, limiting access across multiple chat systems/rooms, and setting fine-grained IAM policies for bots running on platforms like AWS.
Top Practices for Successful Mobile Test Automation
Mobile apps bring a new set of challenges to testing—fast-paced development cycles with multiple releases per week, multiple app technologies and development platforms to support, dozens of devices and form factors, and additional pressure from enterprise and consumers who are less than patient with low quality apps. And with these new challenges comes a new set of mistakes testers can make! Fred Beringer works with dozens of mobile test teams to help them avoid common traps when building test automation for mobile apps. Fred shares some useful best practices, starting with mobile test automation. He explains what and where to automate, how to build testability into a mobile app, how to handle unreliable back-end calls and different device performance, and how to automate the automation. Fred shares real customer stories and shows how small changes in process can make mobile apps ten times more reliable.
Ops Happen: Improve Security Without Getting in the Way
The document discusses how operations and security teams are under pressure to deploy code faster while maintaining reliability and security, and proposes a "shift left" approach to incident response where developers define procedures for fixing issues in their code and are responsible for responding to incidents involving that code. It describes a design pattern where organizations establish a secure operations portal, develop an SDLC for operations procedures, and connect with management systems to enable developers to more proactively address operations and security issues.
Amy DeMartine - 7 Habits of Rugged DevOps
The document outlines seven habits that DevOps teams can adopt to increase application security. The habits are: 1) Increase trust and transparency between development, security, and operations teams. 2) Understand the probability and impact of specific security risks. 3) Discard detailed security roadmaps in favor of incremental improvements. 4) Use continuous delivery pipelines to incrementally improve security practices. 5) Standardize and continuously update third-party software. 6) Govern with automated audit trails. 7) Test security preparedness through "security games". Adopting these habits helps integrate security across the development lifecycle to reduce vulnerability discovery and remediation time.
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
This document summarizes two real world cases where companies implemented security automation to help address challenges of securing applications in agile development environments. The first case involved an insurance company transitioning to DevOps and agility, where integrated automated testing helped provide security visibility and training. The second case involved a retailer with an established agile shop where a process-driven security workflow was created to integrate testing into their DevOps pipeline on a weekly basis. Both cases aimed to balance rapid development needs with continuous security.
DevOps and the Future of Information Security
This document discusses how DevOps affects information security. It begins by motivating the talk and explaining that information systems need higher quality and faster delivery. Security is often an afterthought in development. The document then discusses what DevOps truly means, debunking several myths including that it replaces Agile or is incompatible with security and compliance. DevOps is explained as a way of thinking about work that emphasizes team collaboration across development and operations. This enables more efficient risk mitigation and implementation of security principles throughout the software development lifecycle.
Turning security into code by Jeff Williams
Jeff Williams discusses turning security into code by adopting a DevOps approach to application security. He outlines three "ways" to do this: 1) Establish a continuous security workflow, 2) Ensure instant security feedback loops, and 3) Encourage a security-focused culture. The goal is to make security work an integral part of the development process through automation, integration, and cultural changes.
The R.O.A.D to DevOps
Dan Glass, CISO of American Airlines, presented on developing rugged systems through an approach called Rugged DevOps. The presentation outlined four focus areas - Rugged Systems, Operational Excellence, Actionable Intelligence, and Defensible Platforms. For each area, Glass provided 3-4 sentences on how American Airlines will ensure systems can withstand hostile environments, adapt to changes, meet enterprise standards, maintain reliability through standardization, harvest and analyze data to enable quick decisions, and develop platforms that are hardened and can withstand attacks. The presentation concluded by answering questions on how to discuss products with vendors, changing mindsets, and balancing automation, legacy systems, and accountability.
TDC PoA submission
This document provides an introduction to DevSecOps, which involves integrating security teams and practices into the development lifecycle earlier through a "shift left" approach. It discusses threat modeling to understand security risks, using static and dynamic application security testing tools, checking for vulnerabilities in open source dependencies, securing infrastructure, and defining metrics to measure the effectiveness of applying security measures earlier. The goal of DevSecOps is to find and fix security issues as early as possible through continuous integration and delivery of secure software.
Lessons learned from Detroit to Deming by Derek Weeks
This document discusses the importance of DevSecOps and securing the software supply chain. It notes that modern applications and containers are increasingly assembled from many components, with 80-90% consisting of assembled parts. However, many open source components have known vulnerabilities, with only around 15-16% being fixed. It advocates for treating security as a system property and not passing defects downstream. The rewards of a trusted software supply chain include improvements like 90% faster deployments and 48% better application quality. Businesses are ultimately responsible for securing their data and systems.
Continuous Delivery in the World of Enterprise PHP
This document discusses continuous delivery in the context of enterprise PHP applications. It begins with brief biographical information about the presenter, Joshua Solomin, identifying him as an enterprise software expert, baker, and biker. It then discusses how open source and agility are linked. The document notes that agile development alone is not enough, as most developers experience delays in deploying code to production environments, often due to a lack of collaboration, automation, inconsistent environments, or lack of visibility. It advocates for continuous delivery practices like automation, testing, and release automation to improve deployment speed while maintaining quality. The document shares lessons learned from implementing PHP continuous delivery processes and notes that investment in DevOps and continuous delivery can yield results.
[OWASP Poland Day] Security in developer's life
This document discusses how to integrate security practices into the developer life cycle from the initial interview through onboarding and ongoing development. It recommends assessing security knowledge in interviews, providing security guides and resources for new developers, measuring reading of guides through quizzes, and using metrics to improve security processes over time. The goal is to make developers aware of security best practices from their first days of work and involve them in an ongoing security culture.
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
This webinar on DevOps and security will cover the definition of DevOps, common security challenges with the DevOps model, and how to take a "SecDevOps" approach to embed security into the development process. The presenters will discuss recommendations like increasing trust between development and security teams, using a continuous delivery pipeline to incrementally improve security, and including security as acceptance criteria for user stories. Questions from attendees will be answered at the end.
The Mobile Tester - Your place in the team with Stephen Janaway [Webinar]
Stephen Janaway of the NET-A-PORTER GROUP gave this presentation on mobile testing as part of the TEST Huddle Mobile Testing Webinar Series.
Being a tester on a mobile team is not easy. As well as a multitude of devices and OS versions to test, you find yourself being a part of extremely fast paced projects, where the need to ship an application is often seen as most important. Frequently you are the only tester in the team. In this webinar, Stephen explains some strategies to help you adapt and excel in the challenging world of mobile development.
Key Takeaways:
Why mobile development is different
The testers place in a mobile team
How you can adapt and excel
Watch the recording of the webinar here: http://testhuddle.com/resource/the-mobile-tester-your-place-in-the-team/
Zen and the art of Security Testing
Some security experts would tell you that security testing is very different from functional or non-functional software testing. They are wrong. Having worked on both sides, Paco gives 3 specific recommendations for how testers can make significant contributions to the security of their software and applications by making small changes to the way they do their software testing. The first technique has to do with selecting points in the user journey that are ripe for security testing. The second is to leverage some common free tools that enable security tests. The final technique is adjusting old school boundary value testing and equivalence class partitioning to incorporate security tests. The result is a lot of security testing done and issues fixed long before any security specialists arrive.
Key Takeaways:
-Great places in the user journey to inject security tests
- Ways to augment existing test approaches to cover security concerns
- Typical security tools that are free, cheap, and easy for software testers
Secured Development
Burhan Khalid presented on secure software development practices. He discussed the three Ps of security - People, Process, and Persistence/Practice. He emphasized that security is not just about products but also development practices. Standards for secure development include SSE-CMM, TSP-Secure, and SAMM. Practical best practices include standardizing infrastructure, isolating development environments, peer reviews, centralized bug tracking, and using appropriate tools and frameworks. Common myths debunked are that complex passwords are secure, closed source is less secure than open source, and third party testing ensures code security.
2016 - Daniel Lebrero - REPL driven development
New computers have more and more available memory which for us, programmers means we can use more memory in our applications.
However in JAVA (actually all JVM based languages) at some certain point things may get tricky, especially when we expect from our applications to be responsive all the time. This talk will focus on Garbage First collector (the new default in JDK9) which is the newest algorithm available in HotSpot JVM (not so new though) and the only one which can handle 32+GB heap size without blocking your application threads for longer than 200ms. After this talk you will have overview how G1 works, how to read the log, spot common problems and which gc settings you should avoid.
The current state of mobile testing by stephen janaway
We are increasingly moving towards mobile devices to fulfil our day-to-day computing needs. More smartphones are sold than PCs but many people are unclear on what changes to test strategies are needed when working with mobile. The rate of change within the mobile world is rapid and mobile projects are typically equally fast paced. Currently available tools are less mature than their desktop counterparts, and all of this can combine to make a mobile testing strategy more difficult to define.
This webinar will seek to answer come common challenges one may face when starting to test mobile devices or applications, and answer some of the common questions that typically arise. Put simply, it will help you start your mobile project right, or help you make changes to an existing strategy to make it more effective.
www.eurostarconferences.com
www.testhuddle.com
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
Security pros have written countless jokes and comics maligning developers' exultant disregard for security and lauding their own long-suffering devotion to repairing reckless dev teams' vulnerable code. Yet, this narrative -- which does nothing to improve application security -- has gone on long enough. This session will help you change the conversation and the trend. You'll learn how to speak developers' language, learn about the real pressures they face in a continuous delivery environment, and discover how to get Dev, Ops, and Security teams aligned and focused on a singular goal.
Shift Left. Wait, what? No, Shift Right!!!
Presented on November 7, 2018 at Triangle DevOps (https://www.meetup.com/triangle-devops/).
Recently in the DevSecOps world there has been a call to shift left. However, application security has been shifting left for years already. What we should be doing is shifting application security to the right (production). This can be done by instrumenting applications for security.
What's hot (20)
Top Practices for Successful Mobile Test Automation
Top Practices for Successful Mobile Test Automation
Ops Happen: Improve Security Without Getting in the Way
Ops Happen: Improve Security Without Getting in the Way
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
DevSecCon Asia 2017 Ofer Maor: AppSec DevOps automation – real world cases
Lessons learned from Detroit to Deming by Derek Weeks
Lessons learned from Detroit to Deming by Derek Weeks
Continuous Delivery in the World of Enterprise PHP
Continuous Delivery in the World of Enterprise PHP
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
Security & DevOps- Ways To Make Sure Your Apps & Infrastructure Are Secure
The Mobile Tester - Your place in the team with Stephen Janaway [Webinar]
The Mobile Tester - Your place in the team with Stephen Janaway [Webinar]
The current state of mobile testing by stephen janaway
The current state of mobile testing by stephen janaway
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
The Security Pro's Guide to DevSecOps: How to Get Developers To Write Secure ...
Similar to BHack 2012 - How to protect your web applications
_Best practices towards a well-polished DevSecOps environment (1).pdf
DevSecOps is a software development approach that encourages the adoption of security throughout the whole software development lifecycle. It favors security automation, communication, and scalability in the entire IT environments. DevSecOps infuses security practices in the DevOps process.
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
This document discusses common problems with how application security is implemented. It argues that software developers often lack security knowledge and focus on functionality over security. Security teams also lack development experience and focus on compliance over practical security. As a result, security is treated as an afterthought through ineffective practices like sole reliance on penetration testing. The document recommends a proper Secure Development Lifecycle approach involving security training, secure coding practices, testing and ongoing improvements.
Sigma Open Tech Week: Bitter Truth About Software Security
This document discusses common problems with how application security is implemented. It argues that software developers often lack security knowledge and focus on functionality over security. Security teams also lack development experience and focus on compliance over practical security. As a result, security is treated as an afterthought through ineffective practices like sole reliance on penetration testing. The document recommends a proper Secure Development Lifecycle approach involving security training, secure coding practices, testing and ongoing improvements.
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
- The document discusses "pushing left" in application security, which means involving security teams earlier in the software development lifecycle from requirements through testing.
- It outlines the key elements of an application security program including vulnerability assessments, threat modeling, code reviews, penetration testing, secure coding practices, and bug bounty programs.
- It provides advice for individuals to push left in their own work by testing their own code using a web proxy, conducting threat modeling, reviewing code for security issues, and training themselves in secure coding best practices.
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
This document discusses how the goal of security perfection can be an enemy of DevSecOps. It argues that perfection is unattainable, can result in analysis paralysis, and does not work with an agile DevOps model. Instead, it advocates embracing a "good enough" approach where security teams focus on addressing critical risks, empower developers, shift testing left, and use compensating controls to mitigate remaining risks. The document encourages security teams to challenge whether they always require thorough vulnerability reviews, fixing of all issues, and sign-off before production to determine if they truly enable DevSecOps practices.
Improve Security through Continuous Testing
Many companies develop strong software development practices that include ongoing testing throughout the development lifecycle. But they fail to account for the testing of security-related issues. This leads to security controls being tacked on to an application just before it goes to production. With security controls implemented in this manner, more security vulnerabilities are uncovered but there is less time to correct them. As more applications move to cloud-based architectures, this will become an even greater problem as some of the protection enjoyed by applications hosted on-site no longer exists. Jeremy Faircloth discusses a better approach—ensuring that testing throughout the development lifecycle includes the appropriate focus on security controls. Jeremy illustrates this through the establishment of security-related use cases, static code analysis, dynamic analysis, fuzzing, availability testing, and other techniques. Save yourself from last minute security issues by proactively testing the security of your application!
The Journey to DevSecOps
This document summarizes Shannon Lietz's presentation on the journey to DevSecOps. Some key points include:
- DevOps practices started gaining popularity around 2010 due to influential articles and talks.
- Security decisions are now often made by DevOps teams on a daily basis rather than security teams.
- Compliance alone is not enough for security - there must be continuous improvement through testing, detection, and measurement of progress.
- A blameless culture is important for high performance, as mistakes will happen but can be addressed quickly through collaboration.
Texto de Ayuda Un2_Taller de ingles
The document provides an introduction and overview of the OWASP Testing Guide 3.0. It discusses who should use the guide, including software developers, testers, and security specialists. It describes the different OWASP guides that work together, including the Testing Guide, Developer's Guide, Code Review Guide, and Application Security Desk Reference. It emphasizes that security testing is important but not sufficient on its own, and that prioritization and choosing the right techniques is important to provide effective security coverage. Automated tools have limitations and manual techniques may be more effective for finding serious flaws. Developers are encouraged to get familiar with the guidance to help build more secure software.
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
The document discusses the concept of DevSecOps, which involves taking a holistic approach to shift security left in the software development process. It involves collaboration between developers, operations, and security teams. DevSecOps aims to build security and compliance into software development from the beginning through processes and tools. The document provides examples of how DevSecOps operates and is organized, the skills required, challenges to adoption, and emphasizes the importance of experimentation. It argues that with everyone participating in DevSecOps, safer software can be developed sooner.
"You Got That SIEM. Now What Do You Do?" by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?" by Dr. Anton Chuvakin
Many who acquired SIEM tools have realized that they are not ready to use many of the advanced correlation features, despite promises that "they are easy to use." So, what should you do to achieve success with SIEM? What logs should you collect? Correlate? Review? How do you use log management as a step before SIEM? What process absolutely must be built before SIEM purchase becomes successful.Here you can learn from the experience of those who did not have the benefit of learning from other's mistakes. Also, learn a few tips on how to "operationalize" that SIEM purchase you've made. And laugh at some hilarious stories of "SIEM FAIL" of course!
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019 Offensive Security - Starting from Scratch. Learn from Spencer Koch and Altaz Valani about how to build an offensive security program from scratch, incorporating application security, infrastructure vulnerability management, hardening, devsecops, security champions, and red teaming. Be able to organize these capabilities to tell a story and build maturity to help your organization be more secure. Includes gotchas and lessons learned from industry experience.
DevOps and the Future of InfoSec
DevOps and the Future of InfoSec
The document discusses how DevOps affects how data and computer systems are secured. It defines DevOps as a philosophy about how work is done, not a role, and emphasizes collaboration between development and operations. DevOps aims to deliver higher quality software faster through principles like automation, infrastructure as code, and integrating security into the software development lifecycle. The document argues that security principles have not changed with DevOps, but how they are implemented has to account for DevOps practices like deploying code more frequently.
Fixing security by fixing software development
Fixing Security by Fixing Software Development Using Continuous Deployment
Do you have an effective release cycle? Is your process long and archaic? Long release cycle are typically based on assumptions we haven't seen since the 1980s and require very mature organizations to implement successfully. They can also disenfranchise developers from caring or even knowing about security or operational issues. Attend this session to learn more about an alternative approach to managing deployments through Continuous Deployment, otherwise known as Continuous Delivery. Find out how small, but frequent changes to the production environment can transform an organization’s development process to truly integrate security. Learn how to get started with continuous deployment and what tools and process are needed to make implementation within your organization a (security) success.
MacIT 2014 - Essential Security & Risk Fundamentals
This document provides an overview of essential security and risk fundamentals presented by Alison Gianotto. It begins by defining what security and risk management are and are not. Security is described as an ongoing group effort focused on understanding and protecting valuable assets, information, and people through multi-layered defenses. Risk management is outlined as a tool to help make informed decisions, not something that hinders innovation. The document then covers the CIA security triad of confidentiality, integrity, and availability. It concludes by offering immediate actions organizations can take to improve security such as establishing a risk-first approach, automating processes, and developing incident response plans.
Ensuring Security through Continuous Testing
Many companies develop strong software development practices that include ongoing testing throughout the development lifecycle but fail to account for the testing of security-related use cases. This leads to security controls being tacked on to an application just before it goes to production. With security controls implemented in this manner, more security vulnerabilities will be found with less time to correct them. As more applications move to cloud-based architectures, this will become an even greater problem as some of the protection enjoyed by applications hosted on-premise no longer exists. Jeremy Faircloth discusses a better approach—ensuring that testing throughout the development lifecycle includes the appropriate focus on security controls. Jeremy illustrates this through the establishment of security-related use cases, static code analysis, dynamic analysis, fuzzing, availability testing, and other techniques. Save yourself from last minute security issues by proactively testing the security of your application!
Building a Security culture at Skyscanner 2016
This document summarizes the career and work experiences of Stu Hirst, currently the IT Security Manager and Squad Lead at Skyscanner. It discusses his background in mainframe programming and the music industry before moving into security. It then provides details about Skyscanner, including its growth from 30 to 800+ employees. The rest of the document outlines the security practices and initiatives implemented at Skyscanner over time, including two-factor authentication, user data standards, security training, bug bounty programs, and more. It discusses both successes and challenges, with an emphasis on building security into development processes from the start.
Faster Secure Software Development with Continuous Deployment - PH Days 2013
This document discusses moving to a continuous deployment model to improve software security. It argues that the traditional release-based model is harmful, especially for security, as it results in long delays between when code is written and deployed. Continuous deployment aims to deploy small changes frequently, with developers pushing their own code to production. This gets developers more invested in the quality and security of the code they write. It also allows faster fixing of bugs and security issues when they are found. The document outlines steps to gradually implement continuous deployment and address common concerns about its impact on quality, compliance, and customers.
DevSecOps with Microsoft Tech
DevSecOps with Microsoft Tech discusses how security fits within DevOps practices. DevOps aims to improve quality and speed of delivery through collaboration between development and operations teams. Security is often an afterthought but needs to be integrated throughout the software development lifecycle. DevSecOps ensures security controls are implemented at every stage to improve quality, security and compliance outcomes. Key principles like least privilege, defense in depth and auditing still apply, but are implemented more frequently and at a more localized scale through DevOps practices.
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
An overview of how to change security from a reactive part of the org to a collaborative part of the agile development process. Using concepts from agile and DevOps, how can applicaton security get as nimble as product development has become.
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
This document discusses the benefits of joining OWASP Russia, an open community dedicated to improving web application security. It notes that OWASP provides free security tools, best practices, projects to contribute to, and opportunities for career growth and networking. The author highlights several popular OWASP projects and tools. OWASP Russia started in 2012 and provides translations, meetups, and experience sharing to support the global OWASP community. The document encourages volunteering or participating in discussions, events, and projects like the OWASP Secure Configuration Guide to help harden systems against misconfiguration issues.
Similar to BHack 2012 - How to protect your web applications (20)
_Best practices towards a well-polished DevSecOps environment (1).pdf
_Best practices towards a well-polished DevSecOps environment (1).pdf
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Гірка правда про безпеку програмного забезпечення, Володимир Стиран
Sigma Open Tech Week: Bitter Truth About Software Security
Sigma Open Tech Week: Bitter Truth About Software Security
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
DevSecCon Singapore 2018 - Pushing left like a boss by Tanya Janca
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
Outpost24 webinar - Why security perfection is the enemy of DevSecOps
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
"You Got That SIEM. Now What Do You Do?" by Dr. Anton Chuvakin
"You Got That SIEM. Now What Do You Do?" by Dr. Anton Chuvakin
HouSecCon 2019: Offensive Security - Starting from Scratch
HouSecCon 2019: Offensive Security - Starting from Scratch
MacIT 2014 - Essential Security & Risk Fundamentals
MacIT 2014 - Essential Security & Risk Fundamentals
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Faster Secure Software Development with Continuous Deployment - PH Days 2013
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
Dev ops ci-ap-is-oh-my_security-gone-agile_ut-austin
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
[1.1] Почему вам стоит поучаствовать в жизни OWASP Russia - Александр Антух
More from Magno Logan
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
The document discusses shifting security left in the software development lifecycle using an agile approach and automation tools. It recommends planning security from the beginning of the development process. Automation is key to continuously test for vulnerabilities during integration and development. Tools mentioned include an open source CI server to detect errors, Zed Attack Proxy to automatically find web application vulnerabilities, and various resources on securing the DevOps pipeline.
Katana Security - Consultoria em Segurança da Informação
A Katana Security é uma empresa de consultoria em segurança da informação da Paraíba, fundada por Magno Rodrigues. Ela oferece serviços como análises de segurança, auditoria PCI, testes de segurança em aplicações e infraestrutura, revisão de código, e treinamentos em segurança da informação. A empresa também fornece licenças de ferramentas de teste de segurança como Syhunt, Netsparker e Acunetix.
OWASP Top 10 2010 para JavaEE (pt-BR)
OWASP Top 10 2010 para JavaEE (pt-BR)
Versão traduzida e atualizada do OWASP Top 10 2007 for JavaEE
Traduzida por: Magno Logan (OWASP Paraíba Chapter Leader)
XST - Cross Site Tracing
The document discusses a new web security technique called cross-site tracing (XST) that can bypass the HTTP-only security feature in Internet Explorer 6 SP1 and perform cross-site scripting attacks. XST exploits the TRACE HTTP request method, which echoes request information to the client, to obtain authentication cookies from other domains over HTTP and HTTPS. While HTTP-only helps prevent cookie access via JavaScript, XST can still access cookies through TRACE requests.
OWASP Top 10 2007 for JavaEE
This document provides an overview of the top 10 most critical web application security vulnerabilities for Java EE applications. It discusses each vulnerability in detail, including cross-site scripting (XSS), injection flaws, malicious file execution, insecure direct object references, cross-site request forgery (CSRF), information leakage, broken authentication, insecure cryptographic storage, insecure communications, and failure to restrict URL access. For each issue, it explains how attackers exploit the vulnerability and provides recommendations for protecting against the risk. The goal is to educate developers on common security risks and how to build more secure Java EE applications.
XPath Injection
XPath injection occurs when user-supplied input is used to construct an XPath query without sanitization, allowing an attacker to access unauthorized XML data or elevate privileges. Like SQL injection, malicious XPath can expose sensitive information or take control of authentication by modifying the query. The WebCruiser tool can scan for and prove XPath injection vulnerabilities by modifying queries and observing the results.
SQL Injection
The document discusses SQL injection, including forms of vulnerability like incorrectly filtered escape characters and incorrect type handling. It describes preventing SQL injection through parameterized statements, escaping user input, and using a web vulnerability scanner. Parameterized statements are the preferred method, binding user input to parameters in the SQL query rather than embedding it. Enforcement can occur at the database or coding level. Escaping user input is an alternative but not as robust as parameterized statements.
SQL Injection Tutorial
This document provides a tutorial on SQL injection, including:
- Explaining what SQL injection is and how it works by exploiting vulnerabilities in database queries
- Steps to test for SQL injection vulnerabilities like determining the database type and getting environment information
- Methods for extracting data through SQL injection like getting database, table, and column names and record data
- Recommending the use of automated SQL injection scanning tools like WebCruiser to more efficiently test for and exploit SQL injection vulnerabilities
- Instructions for setting up sample PHP/MySQL and ASP/SQL Server testing environments to practice SQL injection techniques
OWASP Top 10 2010 pt-BR
1) O documento discute os riscos de segurança mais críticos em aplicações web, conhecidos como OWASP Top 10.
2) A lista dos 10 riscos foi atualizada para 2010 com a adição de dois novos itens e remoção de dois itens anteriores.
3) O objetivo do Top 10 é educar sobre como avaliar e mitigar esses riscos nas aplicações, melhorando assim a segurança.
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Este documento apresenta as dez vulnerabilidades mais críticas em aplicações web de acordo com o OWASP Top 10 de 2007, fornecendo uma breve descrição de cada uma delas e dicas de como tratá-las em PHP. O palestrante discute XSS, falhas de injeção, execução maliciosa de arquivos, referência direta a objetos, CSRF, vazamento de informações, furos de autenticação e outras ameaças comuns.
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
The document discusses various web application vulnerabilities from the OWASP Top 10 list, including cross-site scripting (XSS), SQL injection, remote file inclusion, insecure direct object references, and cross-site request forgery (CSRF). It provides examples of each vulnerability type and recommendations for prevention. It also introduces Mutillidae, a deliberately vulnerable web application that can be used to demonstrate these vulnerabilities in a controlled environment.
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataques e Contra-medidas
Maio de 2011 em SP
http://garoa.net.br/wiki/O_Outro_Lado
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
This document discusses HTTP Parameter Pollution (HPP), a technique for overriding or adding HTTP parameters by injecting query string delimiters. It can enable server-side attacks by modifying backend requests or bypassing web application firewalls. On the client-side, HPP can inject additional parameters into links and tags to enable attacks like anti-CSRF, UI redressing, or modifying POST requests. Real-world examples show HPP bypassing filters and accessing internal search results. The document categorizes HPP attacks and argues it is an underestimated issue affecting all web technologies.
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
ZAP (Zed Attack Proxy) is an open source web application penetration testing tool that is easy to use, cross-platform, and has been downloaded over 6,300 times. It includes features like an intercepting proxy, active and passive scanners, a spider, and report generation that allow it to test web applications for vulnerabilities. ZAP has an active international development community, is improving rapidly with new releases, and has the potential to introduce more people to application security best practices.
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
O documento discute sobre web spiders e fornece exemplos de código em C para criar um web spider simples. Também aborda casos de uso comuns de web spiders, como mineração de dados e autenticação em sites, e menciona ferramentas como Selenium para automação no navegador.
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
O documento discute o uso da biblioteca OWASP ESAPI para fornecer segurança em aplicações web. Apresenta os objetivos e roteiro do curso, que inclui uma introdução às vulnerabilidades comuns e à arquitetura da ESAPI, com exemplos em Java. Também aborda conceitos como injeção de código e OWASP Top 10.
AppSec DC 2009 - Learning by breaking by Chuck Willis
Chuck Willis proposes a new OWASP project called the "OWASP Broken Web Applications Project" that would provide a virtual machine containing intentionally vulnerable web applications. The virtual machine would contain various vulnerable versions of applications like WebGoat, WordPress, and phpBB to allow testing of vulnerability scanning, code analysis, and other security tools. Willis is seeking help expanding and maintaining the project.
GTS 17 - OWASP em prol de um mundo mais seguro
GTS 17 - OWASP em prol de um mundo mais seguro
Maio 2011 em SP.
https://gts.nic.br/reunioes/gts-17
ENSOL 2011 - OWASP e a Segurança na Web
O documento apresenta uma palestra sobre segurança na web e ferramentas de teste de vulnerabilidades. Resume as principais vulnerabilidades do OWASP Top 10, como injeção de SQL, XSS e falhas de autenticação. Demonstra exemplos e explica como evitar essas falhas. Também apresenta ferramentas open source como OWASP ZAP, Mantra e SQLmap para teste de aplicações.
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
1) O documento apresenta uma palestra sobre as principais vulnerabilidades de segurança em aplicações web, focando no OWASP Top 10, e demonstra como explorá-las e protegê-las utilizando ferramentas e boas práticas de programação.
2) São discutidas vulnerabilidades como injeção de SQL, cross-site scripting, falhas na autenticação e controle de sessão e referências inseguras a objetos.
3) Também são apresentadas demonstrações práticas de como explorar essas vulnerabilidades e como evitá-
More from Magno Logan (20)
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
DevSecOps - Integrating Security in the Development Process (with memes) - Ma...
Katana Security - Consultoria em Segurança da Informação
Katana Security - Consultoria em Segurança da Informação
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Tratando as vulnerabilidades do Top 10 do OWASP by Wagner Elias
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Mutillidae and the OWASP Top 10 by Adrian Crenshaw aka Irongeek
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
Co0L 2011 - Segurança em Sites de Compras Coletivas: Vulnerabilidades, Ataqu...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
OWASP Floripa - Web Spiders: Automação para Web Hacking by Antonio Costa aka ...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec Brazil 2010 - Utilizando a ESAPI para prover Segurança em Aplicações W...
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec DC 2009 - Learning by breaking by Chuck Willis
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
AppSec Latam 2011 - Treinamento OWASP Top 10 + JavaEE
Recently uploaded
Fueling AI with Great Data with Airbyte Webinar
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
This case study explores designing a scalable e-commerce platform, covering key requirements, system components, and best practices.
Building Production Ready Search Pipelines with Spark and Milvus
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean Lotus cyber threat actors represent a sophisticated, persistent, and politically motivated group that poses a significant risk to organizations and individuals in the Southeast Asian region. Their continuous evolution and adaptability underscore the need for robust cybersecurity measures and international cooperation to identify and mitigate the threats posed by such advanced persistent threat groups.
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Finale of the Year: Apply for Next One!
Presentation for the event called "Finale of the Year: Apply for Next One!" organized by GDSC PJATK
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on automated letter generation for Bonterra Impact Management using Google Workspace or Microsoft 365.
Interested in deploying letter generation automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
A Mix Chart displays historical data of numbers in a graphical or tabular form. The Kalyan Rajdhani Mix Chart specifically shows the results of a sequence of numbers over different periods.
Introduction of Cybersecurity with OSS at Code Europe 2024
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
June Patch Tuesday
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Presentation of the OECD Artificial Intelligence Review of Germany
Consult the full report at https://www.oecd.org/digital/oecd-artificial-intelligence-review-of-germany-609808d6-en.htm
Taking AI to the Next Level in Manufacturing.pdf
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Best 20 SEO Techniques To Improve Website Visibility In SERP
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Skybuffer SAM4U tool for SAP license adoption
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
Recently uploaded (20)
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Deep Dive: AI-Powered Marketing to Get More Leads and Customers with HyperGro...
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Monitoring and Managing Anomaly Detection on OpenShift.pdf
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Letter and Document Automation for Bonterra Impact Management (fka Social Sol...
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
Energy Efficient Video Encoding for Cloud and Edge Computing Instances
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
How to Interpret Trends in the Kalyan Rajdhani Mix Chart.pdf
Introduction of Cybersecurity with OSS at Code Europe 2024
Introduction of Cybersecurity with OSS at Code Europe 2024
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
BHack 2012 - How to protect your web applications
- 1. How to protect your web applications Magno Logan magno.logan@owasp.org OWASP Paraíba Chapter Leader
- 2. About Me Who am I? ! • Ex-developer • Security Analyst • Chapter Leader • Martial Arts • Investments
- 3. Agenda ! • They are everywhere! • Testing, testing, testing… • Guides, tools and much more • The insecure software lifecycle • How to solve these problems
- 5. And they have bugs everywhere! ! • The cost of a data breach averages $5.5 million or $194 per customer record* ! • Companies that take security seriously can reduce the cost per customer by up to 62% ! ! ! ! * From a 2011 study by the Ponemon Institute
- 6. So, how to protect them?! ! 1. Security Testing ! 2. Code Review ! 3. SDL
- 7. OWASP Top 10 2010 Testing, testing, testing…
- 8. And more testing… 2011 CWE/SANS Top 25
- 9. So what do they do? ! • Protect you from common mistakes ! • Avoid you from getting hacked by automated tools/scanners and script kiddies ! By the way, if you work with AppSec and you never heard of these two docs…
- 10. You need to find another job!
- 11. Many more FREE resources! Not just OWASP stuff…
- 12. Ok, now what?! OWASP Code Review Guide ! • Code review takes a deeper look into your app ! • Things that automated scanners won’t find ! • You’ll see the common mistakes devs make
- 13. We fixed the problems. How to stop them? ! • Implement a SDL process ! • Train your developers about app security ! • They don’t need to be experts, at least know how it works and how to protect their apps
- 14. Yay! More free stuff… ! • OWASP ASVS – verify your security ! • OWASP OpenSAMM – create a security program ! • OWASP Developer’s Guide – tips to devs
- 15. It’s not that simple… ! • If we have all that, why aren’t our apps secure? ! • Why even the big companies don’t follow the basic rules? Hello Linkedin!
- 16. We know, we know… ! • Security costs money. Yeah, but so does development, support, operations, etc. ! • Security costs money. But it will save you a lot more! ! Why most companies still don’t see the value of security until they get hacked?
- 17. Like Dinis Cruz said at AppSec Latam 2011: ! Unless you’ve been hacked before… ! If it compiles, Ship it! ! That’s the motto in most dev companies
- 18. The real picture (Developer’s view) ! • They don’t like the security teams ! • They already work on a tight schedule ! • Security will increase their programming time
- 19. How it should be… ! • Dev and infosec should work together ! • Security practices and implementations should be included in the schedule time ! • It will increase the apps protection and decrease the amount of bugs and work
- 20. In a nutshell… ! • Security is not a plugin, it’s a process. ! • Test everything, every time they change. ! • Allocate time for security testing within your project ! • Never assume security controls are effective
- 22. References ! Wagner Elias. “Testar não é suficiente, tem que fazer direito!”. YSTS 2012 ! Dinis Cruz. “Making Security Invisible by Becoming the Developer's Best Friends”. OWASP AppSec Latam 2011 ! Building Secure Web Applications Infographic - http:// www.veracode.com/blog/2012/06/building-secure-web- applications-infographic/ ! OWASP - www.owasp.org